<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Configuring Kibana | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'saml-kibana.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/saml-kibana.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/saml-kibana.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/saml-kibana.html" rel="nofollow" target="_blank">../en/saml-kibana.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="saml-guide.html">Configuring SAML single-sign-on on the Elastic Stack</a></span>
»
<span class="breadcrumb-node">Configuring Kibana</span>
</div>
<div class="navheader">
<span class="prev">
<a href="saml-user-metadata.html">« User metadata</a>
</span>
<span class="next">
<a href="saml-troubleshooting.html">Troubleshooting SAML Realm Configuration »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="saml-kibana"></a>Configuring Kibana<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/saml-guide.asciidoc">edit</a>
</h2>
</div></div></div>
<p>SAML authentication in Kibana requires a small number of additional settings
in addition to the standard Kibana security configuration. The
<a href="https://www.elastic.co/guide/en/kibana/7.7/using-kibana-with-security.html" class="ulink" target="_top">Kibana security documentation</a>
provides details on the available configuration options that you can apply.</p>
<p>In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP
interface, you must configure Kibana to use a <code class="literal">https</code> URL to connect to Elasticsearch, and
you may need to configure <code class="literal">elasticsearch.ssl.certificateAuthorities</code> to trust
the certificates that Elasticsearch has been configured to use.</p>
<p>SAML authentication in Kibana is also subject to the
<code class="literal">xpack.security.sessionTimeout</code> setting that is described in the Kibana security
documentation, and you may wish to adjust this timeout to meet your local needs.</p>
<p>The three additional settings that are required for SAML support are shown below:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: "saml1"</pre>
</div>
<p>The configuration values used in the example above are:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">xpack.security.authc.providers</code>
</span>
</dt>
<dd>
Add <code class="literal">saml</code> provider to instruct Kibana to use SAML SSO as the authentication
method.
</dd>
<dt>
<span class="term">
<code class="literal">xpack.security.authc.providers.saml.&lt;provider-name&gt;.realm</code>
</span>
</dt>
<dd>
Set this to the name of the SAML realm that you have used in your <a class="xref" href="saml-guide-authentication.html#saml-create-realm" title="Create a SAML realm">Elasticsearch realm configuration</a>, for instance: <code class="literal">saml1</code>
</dd>
</dl>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="saml-kibana-basic"></a>Supporting SAML and basic authentication in Kibana<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/saml-guide.asciidoc">edit</a>
</h3>
</div></div></div>
<p>The SAML support in Kibana is designed on the expectation that it will be the
primary (or sole) authentication method for users of that Kibana instance.
However, it is possible to support both SAML and Basic authentication within a
single Kibana instance by setting <code class="literal">xpack.security.authc.providers</code> as per the
example below:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: "saml1"
  basic.basic1:
    order: 1</pre>
</div>
<p>If Kibana is configured in this way, users are presented with a choice
at the Login Selector UI. They log in with SAML or they provide a username and password and rely on one
of the other security realms within Elasticsearch. Only users who have
a username and password for a configured Elasticsearch authentication realm can
log in via Kibana login form.</p>
<p>Alternatively, when the <code class="literal">basic</code> authentication provider is enabled, you can
place a reverse proxy in front of Kibana, and configure it to send a basic
authentication header (<code class="literal">Authorization: Basic ....</code>) for each request.
If this header is present and valid, Kibana will not initiate the SAML
authentication process.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_operating_multiple_kibana_instances"></a>Operating multiple Kibana instances<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/authentication/saml-guide.asciidoc">edit</a>
</h3>
</div></div></div>
<p>If you wish to have multiple Kibana instances that authenticate against the same
Elasticsearch cluster, then each Kibana instance that is configured for SAML authentication,
requires its own SAML realm.</p>
<p>Each SAML realm must have its own unique Entity ID (<code class="literal">sp.entity_id</code>), and its own
<em>Assertion Consumer Service</em> (<code class="literal">sp.acs</code>). Each Kibana instance will be mapped to
the correct realm by looking up the matching <code class="literal">sp.acs</code> value.</p>
<p>These realms may use the same Identity Provider, but are not required to.</p>
<p>The following is example of having 3 difference Kibana instances, 2 of which
use the same internal IdP, and another which uses a different IdP.</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.authc.realms.saml.saml_finance:
  order: 2
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "https://sso.example.com/"
  sp.entity_id:  "https://kibana.finance.example.com/"
  sp.acs: "https://kibana.finance.example.com/api/security/v1/saml"
  sp.logout: "https://kibana.finance.example.com/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
xpack.security.authc.realms.saml.saml_sales:
  order: 3
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "https://sso.example.com/"
  sp.entity_id:  "https://kibana.sales.example.com/"
  sp.acs: "https://kibana.sales.example.com/api/security/v1/saml"
  sp.logout: "https://kibana.sales.example.com/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
xpack.security.authc.realms.saml.saml_eng:
  order: 4
  idp.metadata.path: saml/idp-external.xml
  idp.entity_id: "https://engineering.sso.example.net/"
  sp.entity_id:  "https://kibana.engineering.example.com/"
  sp.acs: "https://kibana.engineering.example.com/api/security/v1/saml"
  sp.logout: "https://kibana.engineering.example.com/logout"
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"</pre>
</div>
<p>It is possible to have one or more Kibana instances that use SAML, while other
instances use basic authentication against another realm type (e.g.
<a class="xref" href="native-realm.html" title="Native user authentication">Native</a> or <a class="xref" href="ldap-realm.html" title="LDAP user authentication">LDAP</a>).</p>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="saml-user-metadata.html">« User metadata</a>
</span>
<span class="next">
<a href="saml-troubleshooting.html">Troubleshooting SAML Realm Configuration »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>